When setting up protonvpn-cli, it asks if I want to "Decrease OpenVPN privileges". What does it mean? Should I choose yes or no?

hi Glosoli!

Please know that I am new to linux although I have used VPN (especially OpenVPN) for a long time in windows. So please take the following as considerations rather than advice coming from a knowledgable user. saying that....

Normally OpenVPN runs as root, it sounds as if protonvpn-cli configures ovpn to run with lower privilege, probably by invoking --user and --group settings and as long as protonvpn-cli script implements this correctly there should be no issue. However, if not done correctly then your vpn may not be able to reconnect in that session, since it would no longer have permissions required to. To maqke matters worse, if VPN drops for any reason, coupled with a failure to reconnect you may end up with a straight through to the internets connection has happened in the background to restore internet connectivity unless precautions are taken to block all connections except those through the VPN (TUN or TAP) adapter.

Couple considerations for you:
Is there a reason you want to use the protonvpn-cli instead of Network Manager (NM) for creating and managing your VPN connection?

The reason I ask is twofold, NM at least has a visible VPN indicator (small lock on lower right corner of NM tray icon) as well has options to reconnect automagically and has notifications letting you know if/when conection is made or dropped. Second reason is I didn't like what I read about the proton client on reddit, both the OP and the comment from user "ProtonMail" found here: https://www.reddit.com/r/ProtonVPN/comm ... tonvpncli/

If you want NM to handle the task, which it does very nicely, then follow the providers steps in generating a config to import into NM on this page:https://protonvpn.com/support/linux-vpn-setup/ in particular follow the Usage "Option A: Linux VPN setup using the Network Manager" instructions.

If your preference is set on using protonvpn-cli then the best bet may be to ask the dev team, they do appear very helpful and responsive as seen in the 289 comments to their support page posting: https://protonvpn.com/support/linux-vpn-tool/

Hope this helps!

Moem kōan 42: Should tool manufacturers be required to fix their products so that you cannot use their saws to cut the tree branch that you're sitting on?

(The answer to the ultimate question of life, the universe and everything is... 42!!;)

The reason I prefer to use protonvpn-cli is because I always get DNS leaks with NM. I used to know a workaourd for the DNS leaks on Mint 18.3, but it doesn't work anymore on Linux Mint 19.

As for the risk of the VPN disconnecting, I've set up Firewall rules, so that all my traffic goes through the VPN and it blocks everything in case the VPN drops.

ah yes, DNS leaking is a bit harder to prevent in Linux (versus using block-outside-dns ovpn setting for windows)... However, it can be done using NM by setting the ehternet or wifi adapter to use no DNS, either static IP address or DHCP Address only (and leave DNS blank). Then enforce that system-wide with firewall rules to block all in/out on all except the TUN (or TAP) adapter created for OpenVPN to operate on.
for example, when I run sudo ufw status verbose I get:

I just read your post and the good replies to it. Here are my thoughts on this as well.

I setup the protonvpn-cli on my system as well and I do not remember it asking, if I want to "Decrease OpenVPN privileges".

To install this open a console terminal, type in, or copy & paste, each line below one by one: Click "Select All" above command, right-click the highlighted command, select Copy (or Ctrl+Insert), click in the console terminal window, and right click paste ("Shift+Insert" or "Ctrl+Shift+v"), repeat for each command.
install dependencies

I setup the protonvpn-cli on my system as well and I do not remember it asking, if I want to "Decrease OpenVPN privileges".

Hi phd21, thanks for replying.

I believe they introduced it with the latest update. You'd only notice when creating a new profile.
Also, thanks for letting me know about the thread on DNS leaks. It was an interesting and useful read.